Posted to users@spamassassin.apache.org by Adam Katz <an...@khopis.com> on 2009/06/02 22:26:08 UTC

DNSBL clarification question

The various eval:check_rbl() selectors are:
-notfirsthop  -firsttrusted  -untrusted  -lastexternal

My understanding from the docs:

-notfirsthop  examines all IPs except the originating one, useful for
ignoring the user's direct IP, which could be a hotel or dialup IP.

-firsttrusted  examines the IP address of the relay that connected to
the outermost trusted relay (based on trusted_networks).  SA can trust
that this server exists, but it cannot trust any of the information it
provides (specifically, the relays/client it claims to have received
mail from).  This can be the relay skipped by -notfirsthop.

-untrusted  examines all IPs that are not trusted, excluding the
-firsttrusted relay but including those beyond it and the relay
skipped by -notfirsthop.

-lastexternal  examines the external host that connected to the
internal network, or at least the last external host with a public IP.

My confusion:

-firsttrusted  is "trusted" in that you can trust that the server is
valid and not forged.  It is /not/ a member of trusted_networks (this
is similar to the AWL vs whitelist issue!).  A name without the word
"trust" (like "-firstseen") would be preferable.

-untrusted  is also easily confused with "trust" from trusted_networks
though like firsttrusted, it refers to potential forgery (and it took
me a while to figure that out).  Renaming this to avoid the word
"trust" (e.g. "-maybeforged") would make it more clear.  Before
determining that "trust" referred to potential forgery, I couldn't
understand why the -firsttrusted relay wasn't included.

-lastexternal looks the same as -firsttrusted except it discards any
private IP (which I have to assume -firsttrusted does not do).  I
can't otherwise tell the difference.  Nice lookups use firsttrusted
instead of lastexternal, and I can't determine why.  Perhaps
lastexternal refers to the relay that connected to the last
(outermost) internal_network while firsttrusted refers to the relay
that connected to the outermost trusted_network?  There's more name
confusion here, too; "last" vs "first" depends on the direction you're
looking:  firsttrusted looks in the /opposite/ direction as lastexternal.

Why not have a flag for "not in trusted_networks" which would operate
like the union of what we currently call -untrusted and -firsttrusted
(or can I say 'mybl-untrusted-firsttrusted' ?) ... what would we call
such a thing?  -foreign  perhaps?

Also, "selectors" are never actually named anything; I've named them
that because the docs have headers like "selecting ..." for each one.
They are described only as "place '-foo' at the end of the set name."
This makes it hard to talk about them and harder to search for them
in the documentation.

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam

Re: DNSBL clarification question

Posted by RW <rw...@googlemail.com>.
On Tue, 02 Jun 2009 16:26:08 -0400
Adam Katz <an...@khopis.com> wrote:


> -notfirsthop  examines all IPs except the originating one, useful for
> ignoring the user's direct IP, which could be a hotel or dialup IP.

You'd think, but in practice -lastexternal gets used. I'm not sure why.

> My confusion:
> 
> -firsttrusted  is "trusted" in that you can trust that the server is
> valid and not forged.  It is /not/ a member of trusted_networks (this
> is similar to the AWL vs whitelist issue!).  A name without the word
> "trust" (like "-firstseen") would be preferable.

that sounds more confusing to me.

> -untrusted  is also easily confused with "trust" from trusted_networks
> though like firsttrusted, it refers to potential forgery (and it took
> me a while to figure that out).  Renaming this to avoid the word
> "trust" (e.g. "-maybeforged") would make it more clear.  


I'm not really sure that making these things totally transparent is a
good idea. Most people don't need to understand them at all, and the
effort that's required to get them straight is about the minimum you
need to put in before tinkering with anything that needs such
knowledge. It makes sense in the end, and it's easy to remember once
understood.

> Perhaps
> lastexternal refers to the relay that connected to the last
> (outermost)

It's last, as in "last external before entering the internal network",
not outermost looking from the spamfilter.

> internal_network while firsttrusted refers to the relay
> that connected to the outermost trusted_network? 

That's how it's supposed to work.

> There's more name
> confusion here, too; "last" vs "first" depends on the direction you're
> looking:  firsttrusted looks in the /opposite/ direction as
> lastexternal.

It's in the same direction, in the sense of the direction of the
handovers.
 
> Why not have a flag for "not in trusted_networks" which would operate
> like the union of what we currently call -untrusted and -firsttrusted
> (or can I say 'mybl-untrusted-firsttrusted' ?) ... what would we call
> such a thing?  -foreign  perhaps?

I'm pretty sure that's the default. For something like Spamhaus SBL you
don't specify any suffix at all.
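The selector semantics laid out in Adam's first post, with RW's two corrections (the default suffix-less selection is the union of -firsttrusted and -untrusted; -lastexternal stops at the internal_networks boundary while -firsttrusted stops at the trusted_networks boundary), can be modelled directly. The following is an added illustration, not SpamAssassin's own code or anything from either poster: the trusted_networks, internal_networks and the Received chain are constructed, and each function implements the thread's wording of a selector rather than the real implementation. Restricting -notfirsthop to the untrusted chain is this model's own assumption.

```python
"""Model of the check_rbl selector semantics as this thread describes them.

Added illustration, not SpamAssassin's own code: the networks and the
Received chain below are constructed, and the functions implement the
thread's wording of each selector, not the real implementation.
"""
from ipaddress import ip_address, ip_network

# Constructed site configuration (hypothetical addresses). As in SA,
# internal_networks is a subset of trusted_networks.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]
# RFC 1918 space plus loopback; "public" below means "not in these".
PRIVATE_NETWORKS = [ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def in_networks(ip, nets):
    return any(ip in net for net in nets)


def parse_chain(addrs):
    """Dotted quads in Received-header order: addrs[0] is the host that
    connected to our MX, addrs[-1] the originating client, and addrs[i]
    handed the mail to addrs[i-1]."""
    return [ip_address(a) for a in addrs]


def split_trusted(hops):
    """Trust is a prefix of the chain: it extends from our MX outward until
    the first relay outside trusted_networks. Nothing beyond that is
    trusted, because only a trusted relay's Received header is believed."""
    n = 0
    while n < len(hops) and in_networks(hops[n], TRUSTED_NETWORKS):
        n += 1
    return hops[:n], hops[n:]


def firsttrusted(hops):
    """-firsttrusted: the relay that connected to the outermost trusted relay.
    It is the first untrusted hop, so it is never in trusted_networks."""
    return split_trusted(hops)[1][:1]


def untrusted(hops):
    """-untrusted: every untrusted relay beyond the -firsttrusted one."""
    return split_trusted(hops)[1][1:]


def default_selection(hops):
    """No suffix: per RW, the union of -firsttrusted and -untrusted."""
    return split_trusted(hops)[1]


def notfirsthop(hops):
    """-notfirsthop: everything except the originating (last) hop. Limiting
    it to the untrusted chain is an assumption of this model."""
    return split_trusted(hops)[1][:-1]


def lastexternal(hops):
    """-lastexternal: the last external host before the internal network,
    'or at least the last external host with a public IP', so private
    addresses past the internal boundary are skipped."""
    for ip in hops:
        if in_networks(ip, INTERNAL_NETWORKS):
            continue
        if not in_networks(ip, PRIVATE_NETWORKS):
            return [ip]
    return []


# Constructed chain: internal MX-side relay, trusted backup MX outside the
# internal network, a NAT'd untrusted relay, the sender's ISP smarthost,
# and the sender's dialup client.
SAMPLE_CHAIN = ["10.1.1.5", "192.0.2.10", "172.16.0.9", "203.0.113.7", "198.51.100.23"]


def demo(addrs=SAMPLE_CHAIN):
    """Return {selector: [ips examined]} for one chain."""
    hops = parse_chain(addrs)
    return {name: [str(ip) for ip in fn(hops)]
            for name, fn in (("-firsttrusted", firsttrusted),
                             ("-untrusted", untrusted),
                             ("(none)", default_selection),
                             ("-notfirsthop", notfirsthop),
                             ("-lastexternal", lastexternal))}


if __name__ == "__main__":
    for name, ips in demo().items():
        print(f"{name:14} {ips}")
```

On the sample chain -firsttrusted picks the NAT'd 172.16.0.9 (first hop past the trusted boundary) while -lastexternal picks the backup MX 192.0.2.10 (first public hop past the internal boundary), which is exactly the difference RW confirms; drop the backup MX from the chain and -lastexternal skips the private 172.16.0.9 to land on the ISP smarthost.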